155714Skris/* p5_pbev2.c */
2280297Sjkim/*
3280297Sjkim * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4280297Sjkim * 1999-2004.
555714Skris */
655714Skris/* ====================================================================
755714Skris * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
855714Skris *
955714Skris * Redistribution and use in source and binary forms, with or without
1055714Skris * modification, are permitted provided that the following conditions
1155714Skris * are met:
1255714Skris *
1355714Skris * 1. Redistributions of source code must retain the above copyright
14280297Sjkim *    notice, this list of conditions and the following disclaimer.
1555714Skris *
1655714Skris * 2. Redistributions in binary form must reproduce the above copyright
1755714Skris *    notice, this list of conditions and the following disclaimer in
1855714Skris *    the documentation and/or other materials provided with the
1955714Skris *    distribution.
2055714Skris *
2155714Skris * 3. All advertising materials mentioning features or use of this
2255714Skris *    software must display the following acknowledgment:
2355714Skris *    "This product includes software developed by the OpenSSL Project
2455714Skris *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
2555714Skris *
2655714Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
2755714Skris *    endorse or promote products derived from this software without
2855714Skris *    prior written permission. For written permission, please contact
2955714Skris *    licensing@OpenSSL.org.
3055714Skris *
3155714Skris * 5. Products derived from this software may not be called "OpenSSL"
3255714Skris *    nor may "OpenSSL" appear in their names without prior written
3355714Skris *    permission of the OpenSSL Project.
3455714Skris *
3555714Skris * 6. Redistributions of any form whatsoever must retain the following
3655714Skris *    acknowledgment:
3755714Skris *    "This product includes software developed by the OpenSSL Project
3855714Skris *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
3955714Skris *
4055714Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
4155714Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4255714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4355714Skris * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
4455714Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4555714Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
4655714Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
4755714Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4955714Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
5055714Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
5155714Skris * OF THE POSSIBILITY OF SUCH DAMAGE.
5255714Skris * ====================================================================
5355714Skris *
5455714Skris * This product includes cryptographic software written by Eric Young
5555714Skris * (eay@cryptsoft.com).  This product includes software written by Tim
5655714Skris * Hudson (tjh@cryptsoft.com).
5755714Skris *
5855714Skris */
5955714Skris
6055714Skris#include <stdio.h>
6155714Skris#include "cryptlib.h"
62109998Smarkm#include <openssl/asn1t.h>
6355714Skris#include <openssl/x509.h>
6455714Skris#include <openssl/rand.h>
6555714Skris
6655714Skris/* PKCS#5 v2.0 password based encryption structures */
6755714Skris
68109998SmarkmASN1_SEQUENCE(PBE2PARAM) = {
69280297Sjkim        ASN1_SIMPLE(PBE2PARAM, keyfunc, X509_ALGOR),
70280297Sjkim        ASN1_SIMPLE(PBE2PARAM, encryption, X509_ALGOR)
71109998Smarkm} ASN1_SEQUENCE_END(PBE2PARAM)
7255714Skris
73109998SmarkmIMPLEMENT_ASN1_FUNCTIONS(PBE2PARAM)
7455714Skris
75109998SmarkmASN1_SEQUENCE(PBKDF2PARAM) = {
76280297Sjkim        ASN1_SIMPLE(PBKDF2PARAM, salt, ASN1_ANY),
77280297Sjkim        ASN1_SIMPLE(PBKDF2PARAM, iter, ASN1_INTEGER),
78280297Sjkim        ASN1_OPT(PBKDF2PARAM, keylength, ASN1_INTEGER),
79280297Sjkim        ASN1_OPT(PBKDF2PARAM, prf, X509_ALGOR)
80109998Smarkm} ASN1_SEQUENCE_END(PBKDF2PARAM)
8155714Skris
82109998SmarkmIMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM)
8355714Skris
84280297Sjkim/*
85280297Sjkim * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm: yes I know
86280297Sjkim * this is horrible! Extended version to allow application supplied PRF NID
87280297Sjkim * and IV.
8855714Skris */
8955714Skris
90238405SjkimX509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
91280297Sjkim                              unsigned char *salt, int saltlen,
92280297Sjkim                              unsigned char *aiv, int prf_nid)
9355714Skris{
94312826Sjkim    X509_ALGOR *scheme = NULL, *ret = NULL;
95280297Sjkim    int alg_nid, keylen;
96280297Sjkim    EVP_CIPHER_CTX ctx;
97280297Sjkim    unsigned char iv[EVP_MAX_IV_LENGTH];
98280297Sjkim    PBE2PARAM *pbe2 = NULL;
9955714Skris
100280297Sjkim    alg_nid = EVP_CIPHER_type(cipher);
101280297Sjkim    if (alg_nid == NID_undef) {
102280297Sjkim        ASN1err(ASN1_F_PKCS5_PBE2_SET_IV,
103280297Sjkim                ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
104280297Sjkim        goto err;
105280297Sjkim    }
10659191Skris
107280297Sjkim    if (!(pbe2 = PBE2PARAM_new()))
108280297Sjkim        goto merr;
10955714Skris
110280297Sjkim    /* Setup the AlgorithmIdentifier for the encryption scheme */
111280297Sjkim    scheme = pbe2->encryption;
11255714Skris
113312826Sjkim    scheme->algorithm = OBJ_nid2obj(alg_nid);
114280297Sjkim    if (!(scheme->parameter = ASN1_TYPE_new()))
115280297Sjkim        goto merr;
11655714Skris
117280297Sjkim    /* Create random IV */
118280297Sjkim    if (EVP_CIPHER_iv_length(cipher)) {
119280297Sjkim        if (aiv)
120280297Sjkim            memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
121306195Sjkim        else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
122280297Sjkim            goto err;
123280297Sjkim    }
12455714Skris
125280297Sjkim    EVP_CIPHER_CTX_init(&ctx);
126109998Smarkm
127280297Sjkim    /* Dummy cipherinit to just setup the IV, and PRF */
128280297Sjkim    if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
129280297Sjkim        goto err;
130280297Sjkim    if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
131280297Sjkim        ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
132280297Sjkim        EVP_CIPHER_CTX_cleanup(&ctx);
133280297Sjkim        goto err;
134280297Sjkim    }
135280297Sjkim    /*
136280297Sjkim     * If prf NID unspecified see if cipher has a preference. An error is OK
137280297Sjkim     * here: just means use default PRF.
138280297Sjkim     */
139280297Sjkim    if ((prf_nid == -1) &&
140280297Sjkim        EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
141280297Sjkim        ERR_clear_error();
142280297Sjkim        prf_nid = NID_hmacWithSHA1;
143280297Sjkim    }
144280297Sjkim    EVP_CIPHER_CTX_cleanup(&ctx);
14555714Skris
146280297Sjkim    /* If its RC2 then we'd better setup the key length */
14755714Skris
148280297Sjkim    if (alg_nid == NID_rc2_cbc)
149280297Sjkim        keylen = EVP_CIPHER_key_length(cipher);
150280297Sjkim    else
151280297Sjkim        keylen = -1;
15255714Skris
153280297Sjkim    /* Setup keyfunc */
15455714Skris
155280297Sjkim    X509_ALGOR_free(pbe2->keyfunc);
15655714Skris
157280297Sjkim    pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
15855714Skris
159280297Sjkim    if (!pbe2->keyfunc)
160280297Sjkim        goto merr;
16155714Skris
162280297Sjkim    /* Now set up top level AlgorithmIdentifier */
16355714Skris
164280297Sjkim    if (!(ret = X509_ALGOR_new()))
165280297Sjkim        goto merr;
166280297Sjkim    if (!(ret->parameter = ASN1_TYPE_new()))
167280297Sjkim        goto merr;
16855714Skris
169280297Sjkim    ret->algorithm = OBJ_nid2obj(NID_pbes2);
17055714Skris
171280297Sjkim    /* Encode PBE2PARAM into parameter */
17255714Skris
173280297Sjkim    if (!ASN1_item_pack(pbe2, ASN1_ITEM_rptr(PBE2PARAM),
174280297Sjkim                        &ret->parameter->value.sequence))
175280297Sjkim         goto merr;
176280297Sjkim    ret->parameter->type = V_ASN1_SEQUENCE;
17755714Skris
178280297Sjkim    PBE2PARAM_free(pbe2);
179280297Sjkim    pbe2 = NULL;
18055714Skris
181280297Sjkim    return ret;
18255714Skris
183280297Sjkim merr:
184280297Sjkim    ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ERR_R_MALLOC_FAILURE);
18555714Skris
186280297Sjkim err:
187280297Sjkim    PBE2PARAM_free(pbe2);
188280297Sjkim    /* Note 'scheme' is freed as part of pbe2 */
189280297Sjkim    X509_ALGOR_free(ret);
19055714Skris
191280297Sjkim    return NULL;
19255714Skris}
193238405Sjkim
194238405SjkimX509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
195280297Sjkim                           unsigned char *salt, int saltlen)
196280297Sjkim{
197280297Sjkim    return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
198280297Sjkim}
199238405Sjkim
200238405SjkimX509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
201280297Sjkim                             int prf_nid, int keylen)
202280297Sjkim{
203280297Sjkim    X509_ALGOR *keyfunc = NULL;
204280297Sjkim    PBKDF2PARAM *kdf = NULL;
205280297Sjkim    ASN1_OCTET_STRING *osalt = NULL;
206238405Sjkim
207280297Sjkim    if (!(kdf = PBKDF2PARAM_new()))
208280297Sjkim        goto merr;
209280297Sjkim    if (!(osalt = M_ASN1_OCTET_STRING_new()))
210280297Sjkim        goto merr;
211238405Sjkim
212280297Sjkim    kdf->salt->value.octet_string = osalt;
213280297Sjkim    kdf->salt->type = V_ASN1_OCTET_STRING;
214238405Sjkim
215280297Sjkim    if (!saltlen)
216280297Sjkim        saltlen = PKCS5_SALT_LEN;
217280297Sjkim    if (!(osalt->data = OPENSSL_malloc(saltlen)))
218280297Sjkim        goto merr;
219238405Sjkim
220280297Sjkim    osalt->length = saltlen;
221238405Sjkim
222280297Sjkim    if (salt)
223280297Sjkim        memcpy(osalt->data, salt, saltlen);
224306195Sjkim    else if (RAND_bytes(osalt->data, saltlen) <= 0)
225280297Sjkim        goto merr;
226238405Sjkim
227280297Sjkim    if (iter <= 0)
228280297Sjkim        iter = PKCS5_DEFAULT_ITER;
229238405Sjkim
230280297Sjkim    if (!ASN1_INTEGER_set(kdf->iter, iter))
231280297Sjkim        goto merr;
232238405Sjkim
233280297Sjkim    /* If have a key len set it up */
234238405Sjkim
235280297Sjkim    if (keylen > 0) {
236280297Sjkim        if (!(kdf->keylength = M_ASN1_INTEGER_new()))
237280297Sjkim            goto merr;
238280297Sjkim        if (!ASN1_INTEGER_set(kdf->keylength, keylen))
239280297Sjkim            goto merr;
240280297Sjkim    }
241238405Sjkim
242280297Sjkim    /* prf can stay NULL if we are using hmacWithSHA1 */
243280297Sjkim    if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1) {
244280297Sjkim        kdf->prf = X509_ALGOR_new();
245280297Sjkim        if (!kdf->prf)
246280297Sjkim            goto merr;
247280297Sjkim        X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid), V_ASN1_NULL, NULL);
248280297Sjkim    }
249238405Sjkim
250280297Sjkim    /* Finally setup the keyfunc structure */
251238405Sjkim
252280297Sjkim    keyfunc = X509_ALGOR_new();
253280297Sjkim    if (!keyfunc)
254280297Sjkim        goto merr;
255238405Sjkim
256280297Sjkim    keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
257238405Sjkim
258280297Sjkim    /* Encode PBKDF2PARAM into parameter of pbe2 */
259238405Sjkim
260280297Sjkim    if (!(keyfunc->parameter = ASN1_TYPE_new()))
261280297Sjkim        goto merr;
262238405Sjkim
263280297Sjkim    if (!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
264280297Sjkim                        &keyfunc->parameter->value.sequence))
265280297Sjkim         goto merr;
266280297Sjkim    keyfunc->parameter->type = V_ASN1_SEQUENCE;
267238405Sjkim
268280297Sjkim    PBKDF2PARAM_free(kdf);
269280297Sjkim    return keyfunc;
270238405Sjkim
271280297Sjkim merr:
272280297Sjkim    ASN1err(ASN1_F_PKCS5_PBKDF2_SET, ERR_R_MALLOC_FAILURE);
273280297Sjkim    PBKDF2PARAM_free(kdf);
274280297Sjkim    X509_ALGOR_free(keyfunc);
275280297Sjkim    return NULL;
276280297Sjkim}
277